httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
Date Fri, 03 Feb 2012 18:27:28 GMT
On 03/02/2012 17:45, Daniel Ruggeri wrote:
> On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
>> Since this happens with every attempt to start, I suspect it has nothing
>> to do with the new directive and more to do with something I did on the
>> openssl build.
> 
> I was, indeed, doing something stupid. A build with openssl 1.0.0g
> replicates the behavior of 0.9.8g in that it fails when
> SSLProxyMachineCertificateChainFile is enabled. The annoying part is
> that (due to the error I get when running in dbx) I can get no useful
> information in a debug session from Solaris.
> 
> ... so I've switched to RHEL and gdb and have interesting information.
> Under Linux, I get this error on init:
> [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
> API `chil'
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
> error:81067064:CHIL engine:HWCRHK_INIT:already loaded
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
> error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
> 
> This only happens when SSLProxyMachineCertificateChainFile is set....
> With some quick debugging I see that the hwcrhk_finish DOES NOT get
> called during ssl_cleanup_pre_config... but DOES get called when the
> directive has been removed. To me, it looks like httpd has not
> registered the engine for cleanup, but that certainly shouldn't be
> impacted by this patch. It seems something in the process of loading the
> store is complicating things.
> 
> I'll continue poking around, but pointers are certainly appreciated.
> 

Hmm... the ENGINE code is careful not to shut down an ENGINE if keys exist which
make use of it.

So there is a possibility that some chain verification leaves a reference to
an RSA key which prevents the ENGINE from closing down completely.

In engines/e_chil.c try commenting out the line containing
ERR_load_HWCRHK_strings().

Only side effect of doing that is you will only get numerical error codes and
not error strings.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
